Classical hardness of the Learning with Errors problem


  1. Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness of LWE August 12, 2013 1/ 18

  2. Our main result: a classical (not quantum) reduction from a worst-case lattice problem (GapSVP in dimension $\sqrt{n}$) to the Learning with Errors problem (dimension $n$) with small modulus (polynomial in $n$).

  3. Outline: (1) Lattices: definitions and problems; (2) Lattice-based cryptography: LWE and a public-key encryption; (3) Our main result: classical hardness of LWE for polynomial modulus; (4) Other results on LWE.

  4. Lattices and problems. [Figure: lattice points with basis vectors $b_1$, $b_2$.] Lattice $L(B) = \{\sum_{i=1}^{n} a_i b_i,\ a_i \in \mathbb{Z}\}$, where the $(b_i)_{1 \le i \le n}$, linearly independent vectors, are a basis of $L(B)$.

  5. Lattices and problems. Definitions: ◮ 1st minimum; ◮ 2nd minimum. [Figure: lattice points with $\lambda_1$, $\lambda_2$ marked.] Lattice $L(B) = \{\sum_{i=1}^{n} a_i b_i,\ a_i \in \mathbb{Z}\}$, where the $(b_i)_{1 \le i \le n}$, linearly independent vectors, are a basis of $L(B)$.

  6. Lattices and problems. Definitions: ◮ 1st minimum; ◮ 2nd minimum. Problems: ◮ Shortest Vector Problem (computational or decisional version). [Figure: lattice points with $b_1$ marked.] Lattice $L(B) = \{\sum_{i=1}^{n} a_i b_i,\ a_i \in \mathbb{Z}\}$, where the $(b_i)_{1 \le i \le n}$, linearly independent vectors, are a basis of $L(B)$.

  7. Lattices and problems. Definitions: ◮ 1st minimum; ◮ 2nd minimum. Problems: ◮ Shortest Vector Problem (computational or decisional version); ◮ Shortest Independent Vectors Problem. [Figure: lattice points with $b_1$, $b_2$ marked.] Lattice $L(B) = \{\sum_{i=1}^{n} a_i b_i,\ a_i \in \mathbb{Z}\}$, where the $(b_i)_{1 \le i \le n}$, linearly independent vectors, are a basis of $L(B)$.

  8. Lattices and problems. Definitions: ◮ 1st minimum; ◮ 2nd minimum. Problems: ◮ Shortest Vector Problem (computational or decisional version); ◮ Shortest Independent Vectors Problem; ◮ Approximation factor: $\gamma$. [Figure: lattice points with $b_1$, $b_2$ marked.] Conjecture: There is no polynomial time algorithm that approximates these lattice problems to within polynomial factors.

  9. GapSVP. Gap Shortest Vector Problem (GapSVP$_\gamma$). Input: a basis $B$ of a lattice $\Lambda$ and a number $d$. Output: • yes: there is $z \in \Lambda$ non-zero such that $\|z\| < d$, • no: for all non-zero vectors $z \in \Lambda$: $\|z\| \ge d$. [Figure: lattice points with $d$ marked.] Best known algorithm: complexity $2^{\Omega\left(\frac{n \log\log n}{\log n}\right)}$.

  11. GapSVP. Gap Shortest Vector Problem (GapSVP$_\gamma$). Input: a basis $B$ of a lattice $\Lambda$ and a number $d$. Output: • yes: there is $z \in \Lambda$ non-zero such that $\|z\| < d$, • no: for all non-zero vectors $z \in \Lambda$: $\|z\| \ge \gamma d$. [Figure: lattice points with $\gamma d$ marked.] Approximation factor: $\gamma$. Best known algorithm: complexity $2^{\Omega\left(\frac{n \log\log n}{\log n}\right)}$.

  12. Hardness of GapSVP$_\gamma$. Conjecture: There is no polynomial time algorithm that approximates this lattice problem to within polynomial factors.

  13. LWE-based cryptography. From basic to very advanced primitives: ◮ Public key encryption [Regev 2005, ...]; ◮ Identity-based encryption [Gentry, Peikert and Vaikuntanathan 2008, ...]; ◮ Fully homomorphic encryption [Brakerski and Vaikuntanathan 2011, ...]. Advantages of LWE-based primitives: ◮ Efficient, especially when the modulus is polynomial; ◮ Security proofs from the hardness of LWE; ◮ Likely to resist attacks from quantum computers.

  14. The Learning With Errors problem [Regev05]. $\mathrm{LWE}^n_q$: Given $(A, As + e)$, find $s$, where ◮ $A \leftarrow U(\mathbb{Z}_q^{m \times n})$, ◮ $s \leftarrow U(\mathbb{Z}_q^n)$, ◮ $e \sim D_{\mathbb{Z}^m, \alpha q}$ with $\alpha = o(1)$ (discrete Gaussian error of parameter $\alpha q$). Decision version: Distinguish from $(A, b)$ with $b$ uniform.

  15. Public key Encryption ◮ A user A has two keys: ◮ one public, $pk_A$; ◮ one secret, $sk_A$. ◮ To encrypt a message M, anyone can use $pk_A$. ◮ To decrypt a ciphertext C, only A can do it, using $sk_A$.

  16. An example of Public-Key Encryption [Regev 2005] ◮ Parameters: $n, m, q \in \mathbb{Z}$, $\alpha \in \mathbb{R}$. ◮ Keys: $sk = s$ and $pk = (A, b)$, with $b = As + e \bmod q$, where $s \hookleftarrow U(\mathbb{Z}_q^n)$, $A \hookleftarrow U(\mathbb{Z}_q^{m \times n})$, $e \hookleftarrow D_{\mathbb{Z}^m, \alpha q}$. ◮ Encryption ($M \in \{0, 1\}$): Let $r \hookleftarrow U(\{0, 1\}^m)$, $u^T = r^T A$, $v = r^T b + \lfloor q/2 \rceil \cdot M$.

  17. An example of Public-Key Encryption [Regev 2005] ◮ Parameters: $n, m, q \in \mathbb{Z}$, $\alpha \in \mathbb{R}$. ◮ Keys: $sk = s$ and $pk = (A, b)$, with $b = As + e \bmod q$, where $s \hookleftarrow U(\mathbb{Z}_q^n)$, $A \hookleftarrow U(\mathbb{Z}_q^{m \times n})$, $e \hookleftarrow D_{\mathbb{Z}^m, \alpha q}$. ◮ Encryption ($M \in \{0, 1\}$): Let $r \hookleftarrow U(\{0, 1\}^m)$, $u^T = r^T A$, $v = r^T b + \lfloor q/2 \rceil \cdot M$. ◮ Decryption of $(u, v)$: compute $v - u^T s$, $\underbrace{r^T (As + e) + \lfloor q/2 \rceil \cdot M}_{v} - \underbrace{r^T A s}_{u^T s} = \text{small} + \lfloor q/2 \rceil \cdot M$. If close to $0$: return $0$; if close to $\lfloor q/2 \rfloor$: return $1$.

  18. An example of Public-Key Encryption [Regev 2005] ◮ Parameters: $n, m, q \in \mathbb{Z}$, $\alpha \in \mathbb{R}$. ◮ Keys: $sk = s$ and $pk = (A, b)$, with $b = As + e \bmod q$, where $s \hookleftarrow U(\mathbb{Z}_q^n)$, $A \hookleftarrow U(\mathbb{Z}_q^{m \times n})$, $e \hookleftarrow D_{\mathbb{Z}^m, \alpha q}$. ◮ Encryption ($M \in \{0, 1\}$): Let $r \hookleftarrow U(\{0, 1\}^m)$, $u^T = r^T A$, $v = r^T b + \lfloor q/2 \rceil \cdot M$. ◮ Decryption of $(u, v)$: compute $v - u^T s$, $\underbrace{r^T (As + e) + \lfloor q/2 \rceil \cdot M}_{v} - \underbrace{r^T A s}_{u^T s} = \text{small} + \lfloor q/2 \rceil \cdot M$. LWE hard ⇒ Regev's scheme is "secure".

  19. Reminders ◮ Hard problem on lattices: GapSVP. ◮ Lattice-based cryptography: Security proof based on reduction from GapSVP to a problem ( = a protocol attacker). ◮ Learning With Errors problem: Distinguish between $(A, b)$ uniform and $(A, As + e \bmod q)$, where $A \leftarrow U(\mathbb{Z}_q^{m \times n})$, $s \leftarrow U(\mathbb{Z}_q^n)$ is secret, and $e$ Gaussian. ◮ Public-key encryption: security based on hardness of LWE.

  20. Prior reductions from worst-case lattice problems to LWE ◮ [Regev05]: a quantum reduction (Quantum computer?); with $q$ polynomial. ◮ [Peikert09]: a classical reduction; with $q$ exponential (Inefficient primitives). ◮ [Peikert09]: a classical reduction; based on a non-standard lattice problem (Hardness?); with $q$ polynomial.

  21. Prior reductions from worst-case lattice problems to LWE ◮ [Regev05]: a quantum reduction; with $q$ polynomial. ◮ [Peikert09]: a classical reduction; with $q$ exponential. ◮ [Peikert09]: a classical reduction; based on a non-standard lattice problem; with $q$ polynomial. Our main result: ◮ A classical reduction, ◮ from a standard worst-case lattice problem, ◮ with $q$ polynomial.

  22. Main component in the proof: a self reduction ◮ Recall that [Peikert09] already showed hardness of LWE with $q$ exponential. How do we obtain a hardness proof for $q$ polynomial?

  23. Main component in the proof: a self reduction ◮ Recall that [Peikert09] already showed hardness of LWE with $q$ exponential. How do we obtain a hardness proof for $q$ polynomial? ◮ All we have to do is show the following reduction: from LWE in dimension $n$ with modulus $q^k$, to LWE in dimension $nk$ with modulus $q$.

  24. Modulus Switching. A reduction from LWE with modulus $q$ to LWE with modulus $p$. How to map $(A, As + e) \bmod q$ to $(A', A's + e') \bmod p$? ◮ Transform $A \hookleftarrow U(\mathbb{Z}_q^{m \times n})$ to $A' \hookleftarrow U(\mathbb{Z}_p^{m \times n})$; First idea: $A' = \lfloor \frac{p}{q} A \rceil$?
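
Added example, not part of the original slides: a toy Python run of the Regev public-key scheme from slides 16 to 18, using the slides' symbols ($A$, $s$, $e$, $b$, $r$, $u$, $v$). The parameter values, the rounded continuous Gaussian standing in for $D_{\mathbb{Z}^m, \alpha q}$, and all function names are assumptions chosen for illustration and give no real security.

```python
import random

# Toy parameters, constructed for illustration only (no real security).
N, M, Q, ALPHA = 16, 64, 4093, 0.0005      # alpha * q is about 2
HALF = (Q + 1) // 2                        # round(q/2)

def dot(x, y):
    return sum(a * b for a, b in zip(x, y))

def keygen(rng):
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]  # A <- U(Z_q^{m x n})
    s = [rng.randrange(Q) for _ in range(N)]                      # s <- U(Z_q^n)
    # Assumption: rounded continuous Gaussian as a stand-in for D_{Z^m, alpha q}.
    e = [round(rng.gauss(0, ALPHA * Q)) for _ in range(M)]
    b = [(dot(row, s) + ei) % Q for row, ei in zip(A, e)]         # b = As + e mod q
    return s, (A, b), e        # e is returned only so the noise can be inspected

def encrypt(rng, pk, bit):
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]                      # r <- U({0,1}^m)
    u = [dot(r, col) % Q for col in zip(*A)]                      # u^T = r^T A
    v = (dot(r, b) + HALF * bit) % Q                              # v = r^T b + round(q/2) M
    return u, v

def decrypt(s, ct):
    u, v = ct
    d = (v - dot(u, s)) % Q                # equals r^T e + round(q/2) M mod q
    near_zero = min(d, Q - d)              # distance to 0 modulo q
    near_half = abs(d - HALF)              # distance to round(q/2)
    return 0 if near_zero < near_half else 1

def worst_case_noise(e):
    # |r^T e| <= sum |e_i| for any r in {0,1}^m; decryption is correct below q/4.
    return sum(abs(x) for x in e)

def roundtrip(seed=2013, trials=40):
    rng = random.Random(seed)
    s, pk, e = keygen(rng)
    bits = [rng.randrange(2) for _ in range(trials)]
    ok = all(decrypt(s, encrypt(rng, pk, m)) == m for m in bits)
    return ok, worst_case_noise(e)
```

The "small" term on slide 17 is $r^T e$; `worst_case_noise` bounds it over every possible $r$, which is why the error width $\alpha q$ must stay small relative to $q$ for decryption to succeed.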
